Browse Source

Merge "Hide AccountLocked exception from end users"

changes/50/783450/2
Zuul 3 months ago
committed by Gerrit Code Review
parent
commit
63ef8f81f3
  1. 2
      keystone/notifications.py
  2. 2
      keystone/tests/unit/common/test_notifications.py
  3. 10
      keystone/tests/unit/identity/test_backend_sql.py
  4. 8
      releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml

2
keystone/notifications.py

@ -580,6 +580,8 @@ class CadfNotificationWrapper(object):
taxonomy.OUTCOME_FAILURE,
target, self.event_type,
reason=audit_reason)
if isinstance(ex, exception.AccountLocked):
raise exception.Unauthorized
raise
except Exception:
# For authentication failure send a CADF event as well

2
keystone/tests/unit/common/test_notifications.py

@ -802,7 +802,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
password = uuid.uuid4().hex
new_password = uuid.uuid4().hex
expected_responses = [AssertionError, AssertionError, AssertionError,
exception.AccountLocked]
exception.Unauthorized]
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
user_ref = PROVIDERS.identity_api.create_user(user_ref)

10
keystone/tests/unit/identity/test_backend_sql.py

@ -613,7 +613,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
)
# test locking out user after max failed attempts
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -642,7 +642,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with self.make_request():
# lockout user
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -661,7 +661,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with self.make_request():
# lockout user
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -687,7 +687,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with self.make_request():
# lockout user
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -697,7 +697,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
# repeat failed auth the max times
self._fail_auth_repeatedly(self.user['id'])
# test user account is locked
self.assertRaises(exception.AccountLocked,
self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
user_id=self.user['id'],
password=uuid.uuid4().hex)

8
releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml

@ -0,0 +1,8 @@
---
fixes:
- |
[`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
Fixed the AccountLocked exception being shown to the end user since
it provides some information that could be exploited by a
malicious user. The end user will now see Unauthorized instead of
AccountLocked, preventing user info oracle exploitation.
Loading…
Cancel
Save